Unsafe or Blank attribute value for attribute or The following record does not have a username Error when Syncing a Directory

Still need help?

The Atlassian Community is here for you.

Ask the community

Symptoms

Synchronisations in Confluence do not complete successfully.

The following appears in the atlassian-confluence.log:

2013-01-26 21:25:59,436 INFO [http-8090-7] [directory.ldap.util.DirectoryAttributeRetriever] getValueFromAttributes Unsafe or Blank attribute value for attribute <mail>: ''.
2013-01-26 21:25:59,436 ERROR [http-8090-7] [ldap.mapper.entity.LDAPUserAttributesMapper] getUsernameFromAttributes The following record does not have a username: 

{ ... < a user object with all attribute > ...}

The attribute <mail> above represents the attribute being used for the username. This can be any attribute.

 

You may also see this in the logs:

2013-01-26 22:12:24,144 ERROR [scheduler_Worker-2] [ldap.mapper.entity.LDAPUserAttributesMapper] getUsernameFromAttributes The following record does not have a username:

Cause

This is caused by records in the LDAP which have either empty or non-existent attributes for the attribute defined as the username. Eg, you may set username to 'cn' in Confluence; the sync will fail in the above manner if it encounters a record which either does not have a cn attribute, or where the cn attribute does not contain a value. This is more likely to occur with attributes like 'mail' that may not be required by the LDAP structure. 

Resolution

  1. You can configure the directory to limit the objects that are synchronised, by setting advanced schema settings (instructions are here: Connecting to an LDAP Directory), or by using LDAP search filters.

  2. If you cannot limit the sync to exclude the invalid objects, you will need to clean the data in your LDAP directory. You must ensure that the attribute you are using for the username:
    • Is unique across the LDAP directory - you cannot have two records with the same username
    • Is a required field in the LDAP directory - you cannot have blank usernames
    • Is not a space or newline character - this is invalid but will still be returned by (attribute=*)
    • Is singular in the LDAP user object - you cannot use an attribute that can have multiple entries in the one object. Eg, if you have multiple 'cn' attributes in an object, such as cn=Elizabeth and cn=Beth, you must choose another attribute to use for the username.

  3. Alternatively you can use an Internal Directory with LDAP Authentication. This type of directory does not synchronise but simply checks/adds users as they attempt to log in.
Last modified on Mar 30, 2016

Was this helpful?

Yes
No
Provide feedback about this article
Powered by Confluence and Scroll Viewport.